After warning state agencies to secure their data against cyberattacks, the Washington Auditor’s office was itself hit hard by a breach that exposed the private information of 1.4 million people.
Unnamed threat actors compromised the auditor’s office computer files, leaving all of the data publicly exposed. According to reports, the private data exposed included full names and driver’s license, Social Security, and bank account numbers, among other details.
This incident was dubbed the biggest cyber breach in the history of the Washington state agency. The exposed information includes full audit data of 25 state agencies and 100 local governments, plus Seattle.
Moreover, the adoption data of around 30 children and their families were affected by the data breach. The agency’s lack of transparency in the matter angered residents whose information was stolen and exposed.
Some people said they learned about the leak only through media accounts, without any sort of warning from the auditor’s office itself. This incident raises concerns over the agency’s move to hire outside vendors for handling sensitive data and over the state agency’s response.
The office didn’t disclose the incident until Feb. 1, even though it had been aware of it since January 12. Washington Auditor Pat McCarthy’s office put the blame on Accellion, a California-based file transfer firm.
Accellion’s FTA service was used by the state agency for more than a decade for transmitting and storing confidential data. Others question the office’s need to amass such a large amount of personal information.
The Seattle Times’ cybersecurity experts called McCarthy’s office ‘culpable’ for relying on the two-decade-old technology.
“Given the nature of the data and the risk of harm, certainly there should have been heightened security and heightened care given to this type of data transfer,” said Privacy Rights Clearinghouse policy counsel Emory Roane.
A Seattle law firm has filed a lawsuit against Accellion for the file-transfer breach. This lawsuit was backed by more than one million people whose information was compromised by the data breach.
The law firm cited negligence in handling customer information and violation of Washington’s Consumer Protection Act by Accellion, which the auditor’s office uses for its systems.
The lawsuit highlighted that Accellion was aware of vulnerabilities in the FTA service, yet sold the product to the Washington Auditor’s Office.
The data breach affected anyone who filed for unemployment between January 1 and December 10, 2020.